Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-09-2024 06:03

General

  • Target

    f9daef097427637a4083ae60bbc8459d_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    f9daef097427637a4083ae60bbc8459d

  • SHA1

    9850d1be79b6090009aa6665cb7f25b2e070aabb

  • SHA256

    869ac9923bff590a255e20b12e5f923d010f7a23f3c4016d3f1411170ee550fd

  • SHA512

    44970c912afe47f19e707aeb3f1ba92dc7b0002989fa48b80aafb9ec268f12efeb139af51162b706096822a1daeb2343227977dd83c47373b6f1c350e9459f57

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
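
The signatures above describe the registry changes the sample makes (Explorer extension/hidden-file visibility, RegEdit disabled, Winlogon and Run-key persistence, Defender settings) but, as is usual for this report format, not the value names. The following host audit is an added example and is not part of the sandbox report or the sample; the key paths, value names and "bad" conditions are the well-known locations those signature names refer to and are this example's assumptions, and the Defender policy values are an assumed target of the "Windows security modification" signature. The four SHA256 values are taken from the Downloads section of this report.

```powershell
# Added example, not part of the report. Run in an elevated PowerShell on the
# host under investigation; prints one row per indicator that is present.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: not an indicator by itself
}

# SHA256 of the four dropped executables listed under Downloads in this report.
$ReportHashes = @(
    '6fbfe737f7974f06d2fbf6e649916171e93619868ca25938441d35ae44f717cd'  # jumnvjzgog.exe
    'bd52372fffdf34c4efce3dc3612e0b119dbdfc2515a811d6515577c129e3435e'  # jlrwkhohbidfnou.exe
    'b0e726efeee81be4482b483a7b16a6f7dacae24367cf521eee4d6af9c2efab36'  # btutfbwxbpuop.exe
    'bfc4604f9a5e6f003418363d952fb0eb6593e2aef68302a80bf0bebfd7288100'  # mrwabocd.exe
)

# Value names and "bad" conditions are assumptions mapped from the signature names.
$Checks = @(
    # "Modifies visibility of file extensions / hidden files in Explorer"
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';     Bad = { param($v) $v -eq 1 }; Why = 'extensions hidden (masks .doc.exe names)' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Bad = { param($v) $v -eq 2 }; Why = 'hidden files not shown' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Bad = { param($v) $v -eq 0 }; Why = 'protected system files not shown' }
    # "Disables RegEdit via registry modification"
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Bad = { param($v) $v -ge 1 }; Why = 'regedit disabled by policy' }
    # "Modifies WinLogon": anything but the stock Shell / Userinit values
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Bad = { param($v) $v -ne 'explorer.exe' };                                   Why = 'Winlogon Shell replaced' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Bad = { param($v) $v -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$' }; Why = 'Winlogon Userinit replaced' }
    # "Windows security modification": Defender policy values (assumed target)
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware';        Bad = { param($v) $v -eq 1 }; Why = 'Defender disabled by policy' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Bad = { param($v) $v -eq 1 }; Why = 'real-time protection disabled' }
)

function Invoke-HostAudit {
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($c in $Checks) {
        $v = Get-RegValue -Path $c.Path -Name $c.Name
        if ($null -ne $v -and (& $c.Bad $v)) {
            $findings.Add([pscustomobject]@{ Indicator = $c.Why; Location = "$($c.Path)\$($c.Name)"; Value = $v })
        }
    }

    # "Adds Run key to start application": resolve each Run entry to its executable,
    # hash it, and flag targets that match the report or live under SysWOW64 (the
    # drop location shown in the process tree).
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSProvider metadata
            $exe = [regex]::Match([string]$p.Value, '(?i)^"?([^"]+?\.exe)').Groups[1].Value
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
            $sha = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
            if ($ReportHashes -contains $sha) {
                $findings.Add([pscustomobject]@{ Indicator = 'Run entry launches a dropped file from the report'; Location = "$k\$($p.Name)"; Value = $p.Value })
            } elseif ($exe -like "$env:SystemRoot\SysWOW64\*") {
                $findings.Add([pscustomobject]@{ Indicator = 'Run entry points into SysWOW64 (drop location in report; verify signer)'; Location = "$k\$($p.Name)"; Value = $p.Value })
            }
        }
    }
    $findings
}

Invoke-HostAudit | Format-Table -AutoSize
```

Absent values are deliberately not treated as findings: a clean host has no `DisableRegistryTools` value at all, and the Explorer `Advanced` values only exist once a user or program has set them. A Run entry under SysWOW64 is only a lead, so the row says to check the signer rather than asserting compromise.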

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9daef097427637a4083ae60bbc8459d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f9daef097427637a4083ae60bbc8459d_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Windows\SysWOW64\jumnvjzgog.exe
      jumnvjzgog.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:804
      • C:\Windows\SysWOW64\mrwabocd.exe
        C:\Windows\system32\mrwabocd.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:496
    • C:\Windows\SysWOW64\jlrwkhohbidfnou.exe
      jlrwkhohbidfnou.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1932
    • C:\Windows\SysWOW64\mrwabocd.exe
      mrwabocd.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2424
    • C:\Windows\SysWOW64\btutfbwxbpuop.exe
      btutfbwxbpuop.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1636
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:960

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    b3c86083e0f3aa839f7dedec0d0a9721

    SHA1

    a327cf6a6a4cef728fd791a56c9ebaf912e4ad4d

    SHA256

    1f02f1eb80a1e7efe5b84011b5f0319e21c35c7c7b2605250dedd8227bccc0b0

    SHA512

    1b8536c927e7a4ebeb086cbb0512f50706d6bf54c9b0437fdfeff8aa984f98b0f6d27c0d772a0389dadb1d98faa327aa9048cf55163be3588c2d25f9f2995cbf

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    dd81cd69fa7ffa21a0c2709c5d8fd251

    SHA1

    d58bdd4b3ba84ca511f0eef87f47bda0b12bc863

    SHA256

    83926c2a663969f02b26cbd86608a670332171919c521f8f567f11cf830017cb

    SHA512

    55275727aa0555704044d19028d40caf609f1a3a12879a7f3e28a78df5b4753e7238ff388a84d730fca17d27cee11637b6c3d33dbe3d23851ec705122435849a

  • C:\Program Files\WatchAdd.doc.exe

    Filesize

    512KB

    MD5

    aff4e85bd8ae5bbdbc3e21ea5e2a4f09

    SHA1

    44223a10ccf8ebac4db01f68da9ba6e3848d95cc

    SHA256

    18df2e1bb22cd06564e2bd9389e0d789d1f0421d52976b7102344bf1aef57bf5

    SHA512

    7904804498dd2f5f9f6efeb119006bd5039bbda76e21ffec93b0984ecec8a5f64d10ba42237cb2304c3b9c6e0cb5dc68e4537c5c7fdc412d163bd943fb148008

  • C:\Users\Admin\AppData\Local\Temp\TCDDDD6.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    392B

    MD5

    88c0cf68cdb126106d7cde11868a8968

    SHA1

    ded0ad109ece755005be142084cfe850d40fcf6d

    SHA256

    b94af69f206433e402ce9a1ef94299546b8444fffdb37d079a47d9f40061435c

    SHA512

    7f52a2c0b23ca81c994b45f661b08ed499fc4da0c046bc6f5c59cdeb4bd10ab5c23ae4ccca3d61ddad65b87469fe50446791a55826ce0ba1c7816dbd9d04b6f2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    4KB

    MD5

    6486f0c57825e32a957af0c48a03abad

    SHA1

    e5e24ab59164bd264b4d22f1d98ceb4455f58162

    SHA256

    fbd6c12b4577efe6d7358ec6ff4073f98f608a7f241f3dcddb3372d282dac8de

    SHA512

    ca18c4636cf3c862bbc2b4f59bc992eedb2277054a528ded2da1b3190a8396e0369731adb5764b8f96789a3442b888bed7948ae8881664f284961336ca7261c6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    5KB

    MD5

    e3c620d33490086635ef7ccd7c5d6b89

    SHA1

    4dfa91b2655b4a2e257fd24a629e534b39906e97

    SHA256

    e63f4d3737c002e0d82c7a30484b23a420d33bdf91f49b67c04f63ee398c2bbc

    SHA512

    604d0b292fe97287cc2ac009896d31225612860587a525cf52311d6210cf4f19bb23d2af8216a4d903484927ae859a2f66a25495d4950bbfacb812f5f40e3591

  • C:\Windows\SysWOW64\btutfbwxbpuop.exe

    Filesize

    512KB

    MD5

    d4eb5d750a6d3b1025c7515aa7938521

    SHA1

    5782fe50ca4922097e4de1164c172c5f24c5d304

    SHA256

    b0e726efeee81be4482b483a7b16a6f7dacae24367cf521eee4d6af9c2efab36

    SHA512

    6e342f09e17e27a05ba20d59fb8e2912252a86d2b2e4ed53bb524ab0cb063f02554f35284ff00c7d4f7e91951d5abaa60a7aac797058d3d67ac6d70d6f2e805f

  • C:\Windows\SysWOW64\jlrwkhohbidfnou.exe

    Filesize

    512KB

    MD5

    034515ea49b2ba66e45b4c25ca260af5

    SHA1

    c7ae63ec5c4b17d9dd7f1c621406484a610fa1b5

    SHA256

    bd52372fffdf34c4efce3dc3612e0b119dbdfc2515a811d6515577c129e3435e

    SHA512

    7f98b2e64d5b732b05bec379ac731d6febceab6fe06544fe08b28f8c74189993a234728e96a487428ec4d192da979ca27f82ab9168dcb22e915c2dba4a3b13ef

  • C:\Windows\SysWOW64\jumnvjzgog.exe

    Filesize

    512KB

    MD5

    4c25071c61913d27d7ce7647703321f3

    SHA1

    98434bc5d3af1f7c63cdf3d787ab0775b13c25ad

    SHA256

    6fbfe737f7974f06d2fbf6e649916171e93619868ca25938441d35ae44f717cd

    SHA512

    0dc034fb933499376e396608397b265f3e03bc1eff09fb5946ea0753c202fdcc49961fb3aa7c38f55bbc455c1dd60435d75f5f4b29fdc4ecaa655f65c7d68e25

  • C:\Windows\SysWOW64\mrwabocd.exe

    Filesize

    512KB

    MD5

    7d64a0ad7e3f71c943de7049dd845457

    SHA1

    e555bacf6f2e586456dbb9dc6b7025da721d8546

    SHA256

    bfc4604f9a5e6f003418363d952fb0eb6593e2aef68302a80bf0bebfd7288100

    SHA512

    724a5fb0abf8baffe0d3e37a7a67ec0f8389cd67644e57c2f3f1a11af030bedb3f08c934c863e326b956e352f85339cae838b054bbd6925c8745fcce56b599b4

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    258a8ef25c5c089986e267ad8c0db6f3

    SHA1

    950fddbb76592b80a0e7de11bfad6c65d80b4492

    SHA256

    b9cb06a35344e6da7a50ba6549c5b68c022025ab92736b90949979d8ab679d44

    SHA512

    1e8b8ef1e6ead0c9ebc54eaf46361f8beb67e81ebca3d83c425a955ef6d91b313809a422f64ececf57afbffe996c33d146342eb286a6285f40d85d843ca4759a

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    7c7c966c36c2d3133edc7c73866753ff

    SHA1

    9eae2cadd71a4657419499ca2ad8122e6f2f7ff6

    SHA256

    79d7050695739a71dcf88950dc78feef766414b8a42e7eca1f415330c31623df

    SHA512

    f51f87eacf21446826421e65273546317e9838e6e1bb40457fb8722df78a2c2ec98ce17c352a239c068aa3b1bbaad9f766442095df9ef261f78b72165ccc836b

  • memory/960-35-0x00007FFE63110000-0x00007FFE63120000-memory.dmp

    Filesize

    64KB

  • memory/960-39-0x00007FFE63110000-0x00007FFE63120000-memory.dmp

    Filesize

    64KB

  • memory/960-38-0x00007FFE63110000-0x00007FFE63120000-memory.dmp

    Filesize

    64KB

  • memory/960-36-0x00007FFE63110000-0x00007FFE63120000-memory.dmp

    Filesize

    64KB

  • memory/960-40-0x00007FFE608B0000-0x00007FFE608C0000-memory.dmp

    Filesize

    64KB

  • memory/960-42-0x00007FFE608B0000-0x00007FFE608C0000-memory.dmp

    Filesize

    64KB

  • memory/960-37-0x00007FFE63110000-0x00007FFE63120000-memory.dmp

    Filesize

    64KB

  • memory/960-254-0x00007FFE63110000-0x00007FFE63120000-memory.dmp

    Filesize

    64KB

  • memory/960-255-0x00007FFE63110000-0x00007FFE63120000-memory.dmp

    Filesize

    64KB

  • memory/960-256-0x00007FFE63110000-0x00007FFE63120000-memory.dmp

    Filesize

    64KB

  • memory/960-253-0x00007FFE63110000-0x00007FFE63120000-memory.dmp

    Filesize

    64KB

  • memory/3624-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB
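
The Downloads list shows the drop pattern to hunt for on other hosts: 512KB executables written as `<document>.doc.exe` next to Office files under Program Files and `SysWOW64\MSDRM`, plus four randomly named executables in `SysWOW64`. The hunt below is an added example and is not part of the report or the sample. The search roots, the double-extension pattern, and the use of the `AU3!` string as a compiled-AutoIt marker (the report's "AutoIT Executable" signature names the behaviour, not how it was detected) are assumptions of this example; the SHA256 values and file names are taken from the list above.

```powershell
# Added example, not part of the report. Hunts a host for the companion-file drops
# listed under Downloads and hashes every candidate against the report's SHA256s.

$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32")

# SHA256 -> name, copied from the Downloads section (two hashes were recorded for
# MsoIrmProtector.doc.exe because the file was written twice during the run).
$ReportSha256 = @{
    '1f02f1eb80a1e7efe5b84011b5f0319e21c35c7c7b2605250dedd8227bccc0b0' = 'PROTTPLN.DOC.exe'
    '83926c2a663969f02b26cbd86608a670332171919c521f8f567f11cf830017cb' = 'PROTTPLV.DOC.exe'
    '18df2e1bb22cd06564e2bd9389e0d789d1f0421d52976b7102344bf1aef57bf5' = 'WatchAdd.doc.exe'
    'b0e726efeee81be4482b483a7b16a6f7dacae24367cf521eee4d6af9c2efab36' = 'btutfbwxbpuop.exe'
    'bd52372fffdf34c4efce3dc3612e0b119dbdfc2515a811d6515577c129e3435e' = 'jlrwkhohbidfnou.exe'
    '6fbfe737f7974f06d2fbf6e649916171e93619868ca25938441d35ae44f717cd' = 'jumnvjzgog.exe'
    'bfc4604f9a5e6f003418363d952fb0eb6593e2aef68302a80bf0bebfd7288100' = 'mrwabocd.exe'
    'b9cb06a35344e6da7a50ba6549c5b68c022025ab92736b90949979d8ab679d44' = 'MsoIrmProtector.doc.exe'
    '79d7050695739a71dcf88950dc78feef766414b8a42e7eca1f415330c31623df' = 'MsoIrmProtector.doc.exe'
}

function Test-AutoItMarker {
    param([string]$Path)
    # Heuristic (assumption): compiled AutoIt3 binaries embed an "AU3!" marker.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    [System.Text.Encoding]::GetEncoding(28591).GetString($bytes).Contains('AU3!')
}

function Find-DroppedCompanions {
    param([string[]]$SearchRoots = $Roots)

    $candidates = foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Companion files anywhere under the root ...
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '\.(doc|docx|rtf)\.exe$' }
        # ... and every executable sitting directly in a system directory, where the
        # four renamed droppers were written (hash match only, no name pattern).
        if ($root -like "$env:SystemRoot\*") {
            Get-ChildItem -LiteralPath $root -File -Filter '*.exe' -ErrorAction SilentlyContinue
        }
    }

    foreach ($f in ($candidates | Sort-Object FullName -Unique)) {
        $sha      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash.ToLower()
        $isDouble = $f.Name -match '\.(doc|docx|rtf)\.exe$'
        $inReport = $ReportSha256.ContainsKey($sha)
        if (-not ($isDouble -or $inReport)) { continue }

        # For "<name>.doc.exe", record whether the original document is still beside it.
        $original = $f.FullName.Substring(0, $f.FullName.Length - 4)
        [pscustomobject]@{
            Path            = $f.FullName
            SizeKB          = [math]::Round($f.Length / 1KB)
            SHA256          = $sha
            ReportName      = if ($inReport) { $ReportSha256[$sha] } else { '' }
            OriginalPresent = if ($isDouble) { Test-Path -LiteralPath $original } else { 'n/a' }
            AutoItMarker    = ($f.Length -le 20MB) -and (Test-AutoItMarker $f.FullName)
        }
    }
}

Find-DroppedCompanions | Format-Table -AutoSize
```

A hash match is the strong signal; a `.doc.exe` name with no hash match still warrants a look because the sample produced a different hash for every companion it wrote (each of the nine files above is 512KB yet none share a digest), so other infections will not match these exact values. The `AutoItMarker` column is a hint for those cases, not proof.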